https://live.paloaltonetworks.com/t5/general-topics/issues-with-dual-isp-failover/m-p/512411#M106477 <P>I followed these instructions to set up ISP failover :&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO</A></P> <P>&nbsp;</P> <P>When the primary ISP1 goes down, it does indeed fail over to secondary ISP2, in every respect except that traffic doesn't use ISP2's NAT automatically. Upon failover, traffic continues trying to use the NAT rule associated with ISP1.&nbsp; I have to manually go in and DISABLE ISP1's NAT rule, then traffic starts automatically flowing as expected via the NAT rule that exists for ISP2.</P> <P>&nbsp;</P> <P>What can I do so that this NAT switch happens automatically upon failover?&nbsp;</P> Fri, 19 Aug 2022 21:48:11 GMT pomologist 2022-08-19T21:48:11Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-dual-isp-failover/m-p/512411#M106477 <P>I followed these instructions to set up ISP failover :&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO</A></P> <P>&nbsp;</P> <P>When the primary ISP1 goes down, it does indeed fail over to secondary ISP2, in every respect except that traffic doesn't use ISP2's NAT automatically. Upon failover, traffic continues trying to use the NAT rule associated with ISP1.&nbsp; I have to manually go in and DISABLE ISP1's NAT rule, then traffic starts automatically flowing as expected via the NAT rule that exists for ISP2.</P> <P>&nbsp;</P> <P>What can I do so that this NAT switch happens automatically upon failover?&nbsp;</P> Fri, 19 Aug 2022 21:48:11 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-dual-isp-failover/m-p/512411#M106477 pomologist 2022-08-19T21:48:11Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-dual-isp-failover/m-p/512458#M106485 <P>Update:</P> <P>Here are two screenshots that I hope will make things clearer.&nbsp;</P> <P>&nbsp;</P> <P>Something bizarre is going on.&nbsp; ISP1 uses Eth1/1 Interface.&nbsp; ISP2 uses Eth1/2 interface.&nbsp; Bizarre thing is that <STRONG>Eth1/1 traffic is NATing through Eth 1/2's NAT rule&nbsp;</STRONG><STRONG>successfully</STRONG>!&nbsp; See photos.&nbsp; What's going on? HELP!</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Shot 2.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43232i37D1CE785828B350/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Shot 2.jpg" alt="Shot 2.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Shot 1.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43233i6E07C03B265843F3/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Shot 1.jpg" alt="Shot 1.jpg" /></span></P> Sun, 21 Aug 2022 15:49:24 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-dual-isp-failover/m-p/512458#M106485 pomologist 2022-08-21T15:49:24Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-dual-isp-failover/m-p/512520#M106496 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176255">@pomologist</a> ,</P> <P>Looking at your screenshot it seems you have missed one key component when configuring the NAT rules - Destination Interface.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Astardzhiev_0-1661167836263.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43257iC8B9B0D5F517DF02/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Astardzhiev_0-1661167836263.png" alt="Astardzhiev_0-1661167836263.png" /></span></P> <P>&nbsp;</P> <P>NAT rules are evaluated the same way as security rules - first match, top to bottom.</P> <P>When you configured only source and destination zone for the NAT (using any for source/dest IPs) traffic will always hit the first rule and never reach the second one.</P> <P>&nbsp;</P> <P>For that reason you must configure "Destination Interface", this will add the egressing interface as part of the matching criteria when evaluating the NAT rules.</P> <P><BR />So when your primary ISP is up and traffic is using the primary default route your egress/destination interface will be eth1/1 (primary internet).</P> <P>When primary ISP is down and path monitor "disable" the primary default, traffic will take the backup default, buth this means egress/destination interface will be different, so this traffic will no longer match the first NAT rule and NAT evaluation will keep looking down reaching the second NAT rule.</P> <P>&nbsp;</P> <P>Hope that make sense</P> Mon, 22 Aug 2022 11:34:19 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-dual-isp-failover/m-p/512520#M106496 aleksandar.astardzhiev 2022-08-22T11:34:19Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-dual-isp-failover/m-p/512537#M106502 <P>THANK YOU SO MUCH!!! I don't know how I missed that!&nbsp; Yes of course it makes perfect sense.&nbsp; I so much appreciate you pointing this out.</P> Mon, 22 Aug 2022 13:39:43 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-dual-isp-failover/m-p/512537#M106502 pomologist 2022-08-22T13:39:43Z